From af18d16c284ac5c5ec8c2eced0dec07d41eafd1d Mon Sep 17 00:00:00 2001
From: Bob Callaway <bobcallaway@users.noreply.github.com>
Date: Fri, 27 Nov 2020 06:49:25 -0500
Subject: [PATCH] turn on gosec and resolve blocking issues (#55)

* turn on gosec and resolve blocking issues
---
 .github/workflows/main.yml | 7 +++++++
 cmd/cli/app/verify.go      | 7 ++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 21cb901..4196e58 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -29,3 +29,10 @@ jobs:
       # Test It
       - name: Test
         run: go test -v ./...
+      # Gosec It
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@v2.5.0
+        env:
+          GOROOT: ""
+        with:
+          args: ./...
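Review bot: The new step references `securego/gosec@v2.5.0`, a mutable tag, so the scanner that runs on every PR can be silently replaced if that tag is moved or the repository is compromised — exactly the class of supply-chain risk a security scanner step should not introduce. Pin third-party actions to the full commit SHA of the release and keep the version as a trailing comment for readability, e.g. `uses: securego/gosec@<full-commit-sha> # v2.5.0`. The `GOROOT: ""` override is presumably a workaround for the action's container environment; a one-line comment such as `# unset GOROOT so gosec uses the toolchain from setup-go` would save the next maintainer from guessing. The job definition above this hunk is not visible here.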
diff --git a/cmd/cli/app/verify.go b/cmd/cli/app/verify.go
index 570613c..4c1c093 100644
--- a/cmd/cli/app/verify.go
+++ b/cmd/cli/app/verify.go
@@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"io/ioutil"
 	"os"
+	"path/filepath"
 
 	"github.com/projectrekor/rekor/pkg"
 	"github.com/projectrekor/rekor/pkg/log"
@@ -46,11 +47,11 @@ var verifyCmd = &cobra.Command{
 		}
 
 		// Signature and Public Key are always required
-		sig, err := ioutil.ReadFile(signature)
+		sig, err := ioutil.ReadFile(filepath.Clean(signature))
 		if err != nil {
 			log.Fatal(err)
 		}
-		pubKey, err := ioutil.ReadFile(pk)
+		pubKey, err := ioutil.ReadFile(filepath.Clean(pk))
 		if err != nil {
 			log.Fatal(err)
 		}
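Review bot: Wrapping `signature` and `pk` in `filepath.Clean` silences gosec G304 but is not a security control: `Clean` only normalises the path lexically (collapsing `.`/`..` and separators) and still lets the call read any file the caller names, so nothing about what this CLI will open has changed. That is fine here because both values appear to be operator-supplied flags, but the code should say so rather than leave a future reader believing a traversal guard exists; add above the first read `// filepath.Clean is lexical normalisation only, not a traversal guard; these are operator-supplied CLI paths, so reading whatever they name is intended (gosec G304).`. If the intent is ever to restrict reads to a directory, the check has to be an explicit prefix/`filepath.Rel` comparison after cleaning. The enclosing verifyCmd Run closure starts and ends outside this hunk.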
@@ -64,7 +65,7 @@ var verifyCmd = &cobra.Command{
 		var body []byte
 		if isLocal {
 			var err error
-			body, err = ioutil.ReadFile(artifact)
+			body, err = ioutil.ReadFile(filepath.Clean(artifact))
 			if err != nil {
 				log.Fatal(err)
 			}
-- 
GitLab